Sunday December 30, 2012
A big step to end data abuse
By HARIATI AZIZAN
From Tuesday, companies have three months to put measures in place before they can collect and use consumers’ personal data for any commercial transactions.
IT has been work around the clock for the Personal Data Protection Department (JPDP) since its launch early this year.
With the challenge of recruiting the “right” personnel, however, it is an achievement that they got any work done.
It was challenging to attract candidates with the specific qualification and training they needed, admits JPDP director-general Abu Hassan Ismail.
But finally, Abu Hassan is happy to say, the department is two days away from being fully operational with the enforcement of the Personal Data Protection Act (PDPA) on Tuesday.
These past few months, the JPDP has been holding consultations with various industries to communicate its message – data users (individuals or organisations who handle personal data) including banks, hospitals and telecommunication providers, should get ready for the law.
“They need to be proactive. Companies have to put the necessary things in place to comply with the law, such as a compliance plan,” he says.
“Every company has to come up with their own compliance plan as each has own unique activities – trade or business – in relation to how they use and process their data.”
This is crucial as from Jan 1, data users have only three months to comply with the Act, Abu Hassan stresses.
Their compliance plan will have to take into account seven principles that safeguard data subjects’ (consumers’) privacy.
What many ordinary consumers are looking forward to most is the end of harassment from pesky telemarketers goading them to buy a service or good as well as other unsolicited SMSes and e-mails.
The PDPA was passed in 2010 to regulate the processing of personal data in commercial transactions.
Personal data here is defined as any information that relate directly or indirectly to a consumer, including any sensitive personal data recorded, stored and used in respect of commercial transitions.
The JPDP has identified around 250,000 data users in the country, which are divided into 12 sectors from communications to insurance, health, banking and education to direct selling.
The sectors have also been tagged based on their risk factor, such as banking and health, adds Abu Hassan.
Each sector has been given the task of coming up with their own code of practice in meeting the requirements of the law.
Data users’ main priority once the Act is enforced is to register with the department, in order to allow them to collect and process personal data.
At the stipulated fee, data users can obtain a one- to three-year-certification.
“This certificate will act like a trust mark, and the data users are required to display their certificate of registration visibly, especially the high-impact industries like banking.
“In the long run, we hope to develop a directory to enable the public to check if a company is data-protection compliant,” he says, adding that most of the identified data users have already been informed of the registration requirement.
Anyone who need to know more about the Data User Registration Regulations and guidelines or clarification on the codes and other principles of procedure under the law can contact the department’s Registrations and Operations Division in Putrajaya.
Other guidelines that are in the works include guidelines on the Personal Data Protection Principles and the definitions of certain terms and clauses in the Act such as “consent” and even “commercial transactions”.
Abu Hassan is confident that most industry players are prepared for the Act. The authorities have made it business-friendly, he assures.
“We tried to strike a balance between the security of people’s personal data and the competitiveness of businesses. It’s not our intention to kill the business people.
“(We were aware that) if the restrictions are too tough, it will kill businesses, but if the standards are too low, it will cause the mishandling or abuse of personal data and threaten the privacy of the general public,” he says.
Next on the department’s agenda is to educate the end-user or data subjects on their rights to personal data protection, as well as how to exercise those rights.
The JPDP has been conducting various programmes to raise awareness around the country but more needs to be done, he shares.
One thing that consumers need to know is that data users will not only need to notify the data subjects but would also need to obtain their consent before they can collect and process their personal data.
This means consumers have the right to check their personal data with a particular company to ensure it is not used for any other purposes, including being sold to a third party.
“We are also talking about quality data here, so accuracy is important,” Abu Hassan says, highlighting that consumers may also at any time withdraw any consent previously given to the data user.
Once in force, the Act makes it a criminal offence for data breaches, including revealing personal data to third party telemarketers. It carries a maximum two-year jail punishment and/or fines up to RM300,000.
Once the three-month grace period is up, the JPDP can take action against data users who breach or have not complied with the law.
Members of the public can also lodge their personal data grouses to the department.
However, Abu Hassan advised complainants to seek redress with the companies or individuals in question before considering the courts.
“If you are still not satisfied with the response or the action taken by the particular organisation, you can lodge a complaint directly to the JPDP,” he adds.
If not relevant to the Act, the complaints will be forwarded to the specific agencies to help those who feel that their privacy has been violated.
“We will work hand-in-hand with the respective regulators to address the problems. For example, if it is related to telecommunications, it will be handled by the MCMC, while cyber crime will be handled by the police,” he says, pointing out that there are various legislations that can be used to take action against personal data breaches such as the Communications and Multimedia Act 1998 and the Credit Rating Agency Act 2010.
The main challenge for the department, however, is to keep up with the rapidly changing, complex and borderless cyber landscape.
While the PDPA has been acknowledged as comprehensive by experts, it will have to deal with constant technological developments.
In countries where a similar law is already in force such as France and the United States, concern about how long personal information can be stored by data users has led to a debate on a possible “Right to Forget” principle which will give consumers the right to have their personal information removed from a data user’s storage after a specific period. This is not stipulated in Malaysia’s personal data act.
Another concern is the growing cybersecurity threat.
Ng Kai Koon, senior manager (Government Affairs, Asia Pacific and Japan) at Symantec Corporation, highlights that cyber attack threats have grown since 2010 (when the Act was gazetted), with small businesses the most vulnerable due to their less secure systems.
What we need is a Mandatory Breach Notification in the Act, he says, a provision that is being considered by many countries who have either implemented a personal data act or are in the process of doing so.
“Mandatory breach notification gives a definitive course of action to companies in the case of a data breach. Informing affected stakeholders will give them the chance to take the required remedial actions such as changing passwords, or having their financial institutions change their credit card numbers to mitigate the consequences of the breach,” he says.
Abu Hassan gives assurance that the department is monitoring the ever-evolving cyber landscape to identify new challenges and needs of both data subjects and data users.
“The enforcement of the Act is only one step towards the protection of personal data; we will need to conduct a policy study later and see what needs to be done to strengthen the Act,” he says.
“Ultimately, considerations will be made to balance security of consumers with the requirements of the industries and businesses.”
Next week: What should consumers do under the new Personal Data Protection law?
What you need to know about the PDPA